Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Analytics BIOC Rules - Causality Change - No. of alerts rising, but where to see who, why and what?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Analytics BIOC Rules - Causality Change - No. of alerts rising, but where to see who, why and what?

L3 Networker

Hello Admins, 

 

We use Analytics BIOC Rules. But where is the Causality Change? No of alerts rising, but where to see who, why and what?

 

Thank you! 

 

BR

 

Rob

2 REPLIES 2

L4 Transporter

Hi @Cyber1985 

you can go to the Incidents page, then to the alerts table there you can scroll to the right to see all the columns and fields populated, CGO (Causality Group Owner), paths, processes....

If you click on the 3 dots menu at the top right corner of the alerts table you will see more columns and fields that are not shown by default. You can select them and incorporate them to your view. 

I believe that you'll find there all you'r looking for. 

I hope this helps.

KR,

Luis

Just as an example: 

 

eluis_0-1652082866383.png

 

L3 Networker

Hi @Cyber1985 It appears that you looking for guidance on how to investigate Analytics / Analytics BIOC alert sources. From the Alert Table, you may right-click to "Investigate Causality Chain" to view the event table. In this view and depending on the analytics alert type, then you may have host, endpoint connection status, IP, MAC, account of interest (E.g. Username), Parent process ID located at the top left-hand corner of the causality view. If you click the red icon in the view, then you can view context about the alert. If you hover you mouse over the related processes in the causality, then you can review process and analytics profiles information to support your investigation. If you click on the processes in the casualty view, then you will be presented with all applicable actions (E.g. Process, Network, File, Network Connections). 

 

In the alert table, then you can also leverage "Pivot to View" options to conduct additional analysis on user / asset in scope. 

  • 1984 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!